Safety to the Weak!
Security Through Feebleness: An Unorthodox Manifesto
Rick McGeer, US Ignite
Outline
○ What does malware exploit?
○ Why can’t we find bugs?
○ The Turing Hierarchy and the Verification Hierarchy
○ Language …
○ … Undecidable?
How Does Malware Work?
handling
acceptable.
Easier Said Than Done! Why Can’t We Find Bugs?
Turing Machine Halts is Undecidable
⇒ Can’t tell if a line of code is executed
⇒ Can’t find a bug deterministically
Machines for everything?
Turing-Complete Languages
✓ Easy to build
✓ Powerful
  ○ “I can do anything in language XYZ”
✗ Often more powerful than required
✗ Impossible to verify
The Turing Hierarchy And the Verification Hierarchy
Model of Computation   Complexity of Verification
Logic-Free             Polynomial (isomorphism check)
State-Free             NP-Complete
Finite-State           Various, from NP-Complete to PSPACE-Complete*
Turing Complete        Undecidable
* Depends on exact variant of temporal logic being used
Powerful enough for many applications but largely unused in programming!
A Cautionary Tale: Verilog and VHDL
○ “Datapath” is combinatory (state-free)
○ “Control” is a collection of finite-state machines
○ BDD-based, powerful SAT tools…
○ Products from every major Electronic Design Automation vendor
○ Various startups over the years…
languages
VHDL...
Verilog and VHDL
○ Before Formal Verification in the early ’90s
○ Era of the 1980s:
  ■ Mostly hand design (of logic, at least)
  ■ Only really prevalent EDA tool (for logic) was simulation
○ Grew up as simulator programming languages
clean semantics
○ Metaphors appealing to designers
Verilog and VHDL
○ Hard to tell what the hardware was
○ Couldn’t formally verify a design
○ Couldn’t even “synthesize” (aka, compile) it into hardware
○ “Synthesis” semantics (aka, figure out what was really hardware)
○ “Synthesizable” subsets of languages
○ “Computational” semantics of C/Java/Python/etc…
○ “Compilable” subsets of programming languages…
A Positive Tale: How Networking Became Verifiable
[Diagram: Traditional Switch. Control plane plus data plane; the data plane holds state-free forwarding tables; packets in and out; control signaling between the two planes.]
Control + Data ⇒ Turing Machine
✓ Ran autonomously (no external control)
✗ Verification Undecidable
Software-Defined Networking: Off With Its Head!
[Diagram: SDN Switch. Data plane only, with state-free forwarding tables; packets in and out; state information sent to an external controller.]
✗ Requires External Controller
✓ Verification In NP
Key Points
be programmed) but also provided verification
logic network
○ Could verify network of forwarding tables with SAT engine
○ Don’t verify controller -- verify its output before updating network
○ Update schedule that preserved invariants (aka, bug-free network)
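The check described in the key points above, as an added example that is not part of the talk: because forwarding tables are state-free, every (source, destination) header can be traced exhaustively, and the controller's proposed tables are rejected before installation if they loop, blackhole, misdeliver, or break an isolation invariant. The three-switch topology, the tables and the isolation policy are constructed for illustration, and exhaustive tracing stands in for the SAT engine the slide mentions.

```python
# Added example, not from the slides: topology, tables and policy are constructed.
HOSTS = {"h_a": "s1", "h_b": "s3", "h_secret": "s2"}  # host -> attached switch
DROP = "drop"
# Rules match the (src, dst) header, "*" is a wildcard; forwarding is state-free.
GOOD = {
    "s1": {("*", "h_a"): "h_a", ("*", "h_b"): "s2", ("*", "h_secret"): "s2"},
    "s2": {("h_a", "h_secret"): DROP, ("*", "h_secret"): "h_secret",
           ("*", "h_a"): "s1", ("*", "h_b"): "s3"},
    "s3": {("*", "h_b"): "h_b", ("*", "h_a"): "s2", ("*", "h_secret"): "s2"},
}
# Buggy controller output: s2 bounces h_b traffic back to s1 and lost the drop rule.
BAD = {**GOOD, "s2": {("*", "h_secret"): "h_secret", ("*", "h_a"): "s1", ("*", "h_b"): "s1"}}
ISOLATION = {("h_a", "h_secret")}  # (src, dst) pairs that must never be delivered

def lookup(table, src, dst):
    """Most specific rule wins: exact (src, dst) before wildcarded ones."""
    for key in ((src, dst), ("*", dst), (src, "*"), ("*", "*")):
        if key in table:
            return table[key]
    return DROP

def trace(tables, ingress, src, dst):
    """Follow the tables hop by hop; revisiting a switch with the same header is a proven loop."""
    path = [ingress]
    while True:
        nxt = lookup(tables[path[-1]], src, dst)
        if nxt in HOSTS and HOSTS[nxt] == path[-1]:
            return "delivered", path + [nxt]
        if nxt not in tables:  # explicit drop, or a next hop that does not exist
            return "dropped", path
        if nxt in path:
            return "loop", path + [nxt]
        path.append(nxt)

def verify(tables, isolation):
    """Check every host pair exhaustively (finite header space); empty list = safe to install."""
    violations = []
    for src, ingress in HOSTS.items():
        for dst in HOSTS:
            if dst == src:
                continue
            verdict, path = trace(tables, ingress, src, dst)
            if verdict == "delivered" and path[-1] != dst:
                verdict = "misdelivery"
            elif verdict == "delivered" and (src, dst) in isolation:
                verdict = "isolation broken"
            elif verdict == "dropped" and (src, dst) not in isolation:
                verdict = "blackhole"
            if verdict not in ("delivered", "dropped"):
                violations.append(f"{verdict} {src}->{dst}: {'->'.join(path)}")
    return violations
```

Running verify(GOOD, ISOLATION) returns no violations, while verify(BAD, ISOLATION) reports two loops and one broken isolation rule, so the BAD tables would be refused before any switch is updated.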
Anatomy of an SDN Ecosystem
[Diagram: Anatomy of an SDN Ecosystem. Desired Network Specifications (finite-state or state-free, verifiable!) → Controller → State-Free Forwarding Tables (state-free, verifiable!).]
Input verifiable ⇒ System verifiable
Extension to SDI Deployment
particular application
accomplish task
○ Allocate VMs and Containers
○ Use SDN to configure networks
○ Use Orchestration Engines (e.g., Ansible, Heat)
■ Finite-state or restricted-state
SDN specification languages to generate SDI Specs
Wild Speculation...Is Verifying Turing Machines Really Undecidable?
unverifiable TM at its heart
○ Verify the inputs to the TM and its outputs
○ Surround the program with a verifiable model and verify that
A “Verifiable” Program
[Diagram: Program (unverifiable) with Inputs and Outputs, beside a Finite-State Program (verifiable); a Finite-State Input Generator and a Finite-State Output Spec.]
A “Verifiable” Program
[Diagram: the Program and the Finite-State Program, each fed by a Finite-State Input Generator, with outputs checked against the Finite-State Output Spec.]
Runtime Correspondence Checking
A Final Word...
environments/languages with an eye to verification
execution